“We are not the bad guys. We are the good guys that do bad things.”
That was the response online vigilantes SMRT Feedback gave when asked to comment on the hacking of the Securities Investors Association of Singapore (SIAS) database.
SIAS had on Wednesday (Jul 25) announced that their website has been compromised and that personal details of their 70,000 members may have been illegally accessed. They were alerted to the breach by the Cyber Security Agency of Singapore (CSA) who received an anonymous tip-off.
Observer+ found out later the anonymous tip-off came from SMRT Feedback.
According to the vigilantes, the breach that happened in 2013-2014 was made possible due to insecure protocols and the absence of a web application firewall.
In a follow-up email by the fiercely anonymous group, SMRT Feedback said the breach happened due to a security vulnerability on their website, which allowed for hackers to access the SIAS database. The hacking technique used is known as SQL injection.
SQL injection is one of the most common types of hacking techniques. It allows hackers to ‘inject’ malicious codes into the target website to manipulate and exploit database commands.
A preliminary check by SMRT Feedback had shown that SIAS installed a security certificate and implemented a firewall system recently which rendered further SQL injection obsolete, although not with 100% certainty.
Tracing of perpetrators can also be difficult.
They added, “there are other forensic techniques that can be done but seeing that the breach happened 5 years ago, we do not think most websites would even keep logs for that long.”
SMRT Feedback said that a robust web application firewall can help in preventing such attacks in the future. They noted SIAS had used a firewall from a well-known security company called Sucuri which they believed was only implemented recently. The vigilantes believed the security upgrade helped with preventing further breaches.
The vigilantes also lauded the timely action by CSA and SIAS in handling the situation and reminded the public that they should not conveniently blame the authorities everytime a security breach happens.
“The internet is still a wild place. Anything can happen, and not even the brightest of computer experts can prevent any attacks. The public should be mindful of victim-blaming and be more understandable of the situation at hand.”
When asked if SMRT Feedback is currently cooperating with CSA or the SIAS, they said that any correspondence will be limited owing to their anonymity. They also believed that it’s precisely because of their anonymity that they are able to do what they do.
“We can do what we do because we are anonymous. We are limitless. Today you see us, tomorrow you don’t. We see, hear, eat everything.”